
8-14 Oracle Fusion Middleware Application Security Guide

and it is that port that should be specified in this step. Reassociation through a two-way SSL channel is not supported in this release. Fusion Middleware Control modifies the file weblogic.policy by adding the necessary grant to support the anonymous SSL connection.

3. In the text box Connect DN, enter the full distinguished name, a string containing between 1 and 256 characters. For example, cn=orcladmin,dc=us,dc=oracle,dc=com.

4. In the box Password, enter the user password, also a string containing between 1 and 256 characters.

5. To verify that the connection to the LDAP server using the entered data works, click the button Test LDAP Authentication. If you run into any connection problem, see Section L.9, Failure to Establish an Anonymous SSL Connection.

6. In the Root Node Details area, enter the root DN in the box Root DN, which identifies the top of the tree that contains the data in the LDAP repository. The Domain Name defaults to the name of the selected domain. To solve the most common errors arising from the specifications in these two fields, see Section L.2, Reassociation Failure.

7. Optionally, in the Policy Store Properties and Credential Store Properties areas, enter service instance properties, such as Enable Lazy Load and Role Member Cache Size. To add a new property: click Add to display the Add New Property dialog; in this dialog, enter strings for Property Name and Value; click OK. The added property-value pair is displayed in the table Custom Properties. These properties are typically used to initialize the instance when it is created.

A property-value pair you enter modifies the domain configuration file jps-config.xml by adding a property element in the configuration of the LDAP service instance. To illustrate how a service instance is modified, suppose you enter the property name foo and value bar; then the configuration for the LDAP service instance changes to contain a property element as illustrated in the following excerpt:

    <serviceInstance name="myNewLDAPprovider" provider="someProvider">
      ...
      <property name="foo" value="bar"/>
      ...
    </serviceInstance>

8. When finished entering your data, click OK to return to the Security Provider Configuration page. The system displays a dialog notifying you of the status of the reassociation. The table in the Security Stores area is modified to reflect the provider you have specified.

9. Restart the application server. Changes do not take effect until it has been restarted.

Reassociation modifies the domain configuration file DOMAIN_HOME/config/fmwconfig/jps-config.xml: it deletes any configuration for the old store provider, inserts a configuration for the new store provider, and moves the policy and credential information from the source to the destination store.

If the destination store is LDAP-based, the information is stored under the domain DN according to the following format:

    cn=domain_name,cn=JpsContext,<JPS ROOT DN>

As long as the configuration of the installation relies upon the above domain DN, that node should not be deleted from the LDAP server.

8.5.1.1 Setting Up a One-Way SSL Connection

This section describes how to set up a one-way SSL channel between Oracle WebLogic Server or a Java SE application and the LDAP Oracle Internet Directory target of a reassociation. This setup is optional, but, if required, it should be in place before reassociating the OPSS security store.

Prerequisite: Configuring the Oracle Internet Directory Server

To configure the Oracle Internet Directory server to listen in one-way SSL mode, see the section Enabling SSL on Oracle Internet Directory Listeners in Oracle Fusion Middleware Administrator's Guide.

Exporting Oracle Internet Directory's Certificate Authority (CA)

Exporting the CA certificate with orapki is needed only if the CA is unknown to the Oracle WebLogic server. The following sample illustrates the use of this command to produce the certificate file serverTrust.cert:

    orapki wallet export -wallet CA -dn CN=myCA -cert serverTrust.cert

The above invocation prompts the user to enter the keystore password.

Before You Begin

Before configuring SSL, note that:

■ The following procedures are required only if the type of SSL being established is server-auth; they are not required in any other case (no-auth or client-auth).

■ If the flags specified in the procedures below are used in a multi-application environment, then the trust store must be shared by all those applications.

Setting Up the WebLogic Server in Case of a Java EE Application

The procedures for the identity store and the policy store differ because the identity store service and the policy store service use different socket factories.

To establish a one-way SSL connection between the server and the identity store, proceed as follows (if applicable, the trust CA is assumed to have been exported):

1. If the CA is known to the Oracle WebLogic server, skip this step; otherwise, use the utility keytool to import the Oracle Internet Directory's CA into the WebLogic truststore. The following invocation, which outputs the file myKeys.jks, illustrates the use of this command to import the file serverTrust.cert:

    keytool -import -v -trustcacerts -alias trust -file serverTrust.cert -keystore myKeys.jks -storepass keyStorePassword

Note that passing -storepass on the command line exposes the password to other users of the host through the process list and the shell history; omit the flag and keytool prompts for the password instead.

2. Modify the script (typically startWebLogic.sh) that starts the server to include a line like the following, and then restart the server: